From: Daan De Meyer
Date: Wed, 25 Jun 2025 11:19:59 +0000 (+0200)
Subject: nspawn: Allow bpf() syscall if CAP_BPF is retained
X-Git-Tag: v258-rc1~253
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9cb6d2bf859f0b28953d18ae647ca19e81a1b55a;p=thirdparty%2Fsystemd.git

nspawn: Allow bpf() syscall if CAP_BPF is retained

CAP_BPF is closely associated with the bpf() syscall so it makes sense to allow the latter if the former is retained.
---

diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
index 710c874ddd2..6956689ab57 100644
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@@ -108,6 +108,7 @@ static int add_syscall_filters(
 { CAP_SYS_BOOT, "reboot" },
 { CAP_SYSLOG, "syslog" },
 { CAP_SYS_TTY_CONFIG, "vhangup" },
+ { CAP_BPF, "bpf", },

 /*
 * The following syscalls and groups are knowingly excluded:
@@ -117,7 +118,6 @@ static int add_syscall_filters(
 * @pkey
 * @swap
 *
- * bpf
 * fanotify_init
 * fanotify_mark
 * kexec_file_load
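Review bot: The new table entry `{ CAP_BPF, "bpf", },` carries a trailing comma after the syscall name that none of the neighbouring entries (`{ CAP_SYSLOG, "syslog" },`, `{ CAP_SYS_TTY_CONFIG, "vhangup" },`) have; `{ CAP_BPF, "bpf" },` keeps the table uniform. It is also worth a comment next to the entry that the kernel evaluates CAP_BPF against the initial user namespace, so in a user-namespaced container retaining the capability only lifts the seccomp block on the bpf() entry point (widening the exposed kernel surface) without the container actually obtaining privileged BPF operations, e.g. `/* bpf() is gated by CAP_BPF in the initial user namespace; inside a userns container this only lifts the seccomp block, not the kernel's own check */`. The second hunk drops bpf from the "knowingly excluded" list; if the systemd-nspawn man page reproduces that list or the capability-to-syscall mapping, it presumably needs the same update, which this commit does not include. CAP_BPF has only existed in kernel headers since Linux 5.8, so if the project's minimum supported headers predate that a fallback definition is needed, which I cannot tell from the hunk. add_syscall_filters() begins and ends outside both hunks.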